According to the BABOK® v3 guide, the purpose of the Assess Risks task is the following:
Assessing risks is about analyzing the risks and also actively managing their potential impact on the solution underway. You might identify risks associated with the current state, the desired future state, a specific change or change strategy, or any other area within the enterprise.
The reasons why risks are analyzed is to understand the possible consequences if a potential risk should actually occur, to understand the real impact of those consequences, how likely it is for the risk to eventuate, and the timeframe of when this risk might occur.
If you understand the risks that exist within the context in which you are working, you are in a much better position to make decisions relating to the risk and you can prepare yourself for managing the risk if it should materialize.
Let's now consider a common example of identifying and managing risks:
Let's say you are required to implement a change to allow "card not present" type transactions within a banking environment. You are aware of the possible fraud risks associated with this transaction type and because of this you can document, prepare for, and manage those risks in a structured and controlled way.
In this case, you will also be able to make informed decisions when all the risks are known about whether the organization is willing to accept these risks by continuing with the implementation.
Now that we have an overview of the scope of assessing risks, we will delve into the key elements that you should consider when performing this task as a business analyst in practice.